https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356729#M174849 <P>If I am correct in assuming the number in bold is the response time, you an extract it via the search like this:</P> <PRE><CODE>YOUR BASE SEARCH | rex field=_raw "\d{3} - (?&lt;responsetime&gt;\d+) \"" </CODE></PRE> <P>You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.</P> <P>If you did want to tweak the regex, or write it yourself, a great tool to use is <A href="http://www.regex101.com">www.regex101.com</A> to build those regular expressions.</P> Mon, 01 May 2017 13:27:33 GMT kmorris_splunk 2017-05-01T13:27:33Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356725#M174845 <P>The information has already changed.............</P> Mon, 01 May 2017 13:06:54 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356725#M174845 cholt520 2017-05-01T13:06:54Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356726#M174846 <P>you can use the field extractor:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> Mon, 01 May 2017 13:10:14 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356726#M174846 adonio 2017-05-01T13:10:14Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356727#M174847 <P>This works at search time. You could adapt it for use at index time.</P> <PRE><CODE>... | rex "\] \".*?\" \d+ - (?&lt;responseTime&gt;\d+)" | ... </CODE></PRE> Mon, 01 May 2017 13:15:08 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356727#M174847 richgalloway 2017-05-01T13:15:08Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356728#M174848 <P>via rex (in your search)</P> <PRE><CODE> ...| rex "\d{3}\s+-\s+(?&lt;ms&gt;\d+)" </CODE></PRE> <P>via props.conf (in search app - may require restart)</P> <PRE><CODE> [sourcetypeName] EXTRACT-ms = \d{3}\s+-\s+(?&lt;ms&gt;\d+) </CODE></PRE> Mon, 01 May 2017 13:16:05 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356728#M174848 jkat54 2017-05-01T13:16:05Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356729#M174849 <P>If I am correct in assuming the number in bold is the response time, you an extract it via the search like this:</P> <PRE><CODE>YOUR BASE SEARCH | rex field=_raw "\d{3} - (?&lt;responsetime&gt;\d+) \"" </CODE></PRE> <P>You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.</P> <P>If you did want to tweak the regex, or write it yourself, a great tool to use is <A href="http://www.regex101.com">www.regex101.com</A> to build those regular expressions.</P> Mon, 01 May 2017 13:27:33 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356729#M174849 kmorris_splunk 2017-05-01T13:27:33Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356730#M174850 <P>Fyi, the leading .* is almost always assumed with Splunk regex</P> Mon, 01 May 2017 15:20:58 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356730#M174850 jkat54 2017-05-01T15:20:58Z https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356731#M174851 <P>Point taken. =D</P> Mon, 01 May 2017 15:37:04 GMT https://community.splunk.com/t5/Splunk-Search/how-to-extract-the-response-time-from-below-logs/m-p/356731#M174851 kmorris_splunk 2017-05-01T15:37:04Z